---
title: "Arch Linux Installation Guide For Developers"
description: Sharing our process of installing Arch Linux for developers the way we do it in house
slug: arch-linux-installation-guide
date: 2022-05-04
image: https://www.lunasec.io/docs/img/clippy_arch.jpeg
keywords: [arch, arch-linux, install-guides]
tags: [developer-tools, install-guides, archlinux, arch]
authors: [gabe]

---
<!--
  ~ Copyright by LunaSec (owned by Refinery Labs, Inc)
  ~
  ~ Licensed under the Creative Commons Attribution-ShareAlike 4.0 International
  ~ (the "License"); you may not use this file except in compliance with the
  ~ License. You may obtain a copy of the License at
  ~
  ~ https://creativecommons.org/licenses/by-sa/4.0/legalcode
  ~
  ~ See the License for the specific language governing permissions and
  ~ limitations under the License.
  ~
-->
![Arch Linux Install](https://www.lunasec.io/docs/img/clippy_arch.jpeg)

## BTW we use Arch

Here at LunaSec not only have we been busy hacking, but we've also onboarded a couple new team members WOOHOO 🥳! Through the onboarding process, we realized there is an opportunity to
release our developer environment setup as a guide for the community.

We're sharing this guide to both show how we are using Arch Linux as Security Engineers at LunaSec and to give confidence to developers considering making the switch to Arch.

## Why is Arch the best operating system for developers?
Here are a few of the reasons why we decided to use Arch as our development environment:
- We have direct visibility and control down to the kernel
- We know what's on our system and only use what we deem necessary
- We can configure our environments to meet security standards quickly and seamlessly
- We have access to the latest packages for development

We found Arch to be that sweet spot between security, accessibility, and productivity. As an Open Source startup, using Open Source software is
fundamental to our values and culture as security professionals.

<!--truncate-->

Lastly before we begin, here's a friendly shout out to Michael Picht for his [guide](https://nerdstuff.org/posts/2020/2020-004_arch_linux_luks_btrfs_systemd-boot/) over at nerdstuff.org.
We referenced it while compiling our own guide and found it very helpful in our work, thanks again Michael 👏.

## Preparing For the Install

Grab the version of [Arch](https://archlinux.org/download/) you would like to install. Create a bootable USB of the Arch Image you downloaded.
( [Etcher](https://www.balena.io/etcher/) is available for Linux or [Rufus](https://rufus.ie/en/) for Windows to make your USB boot image. For further guidance please refer to
the [Arch Wiki](https://wiki.archlinux.org/title/USB_flash_installation_medium).)
:::note
Verify secure boot is disabled in the BIOS before continuing to the next steps.
:::
## What We're Installing
- A UEFI boot partition using [systemd-boot](https://wiki.archlinux.org/title/Systemd-boot)
- An Arch Linux partition with [BTRFS](https://wiki.archlinux.org/title/Btrfs). Encrypted with [LUKS](https://gitlab.com/cryptsetup/cryptsetup) luks2


## Beginning the Install
Plug in your Arch USB image from the previous step and boot into it from your BIOS. From here, you'll be using the terminal.

We recommend installing via SSH to streamline copying over commands.

To do this you'll connect to the Internet using the [iwctl](https://man.archlinux.org/man/community/iwd/iwctl.1.en) tool to connect to your WIFI.

Open up the iwctl tool:

    iwctl

Search for your wireless adapter:

    device list

Scan your local networks with your wireless adapter (wlan0):

    station wlan0 get-networks

Connect to your network:

    station wlan0 connect YOUR_NETWORK

:::note
If your network is seperated with a space, use quotes for "YOUR NETWORK"
:::

Once connected, exit iwctl:

    exit

Verify your connection works:

    ping google.com

## Enabling SSH

Now that your machine is connected to the internet, enable the SSH protocol and connect to it from your outside computer.

Start SSH:

    systemctl start sshd.service

Set a password for root:

    passwd

Find the machine's IP Address:

    ip addr show

From your other computer, connect via SSH (You'll be prompted for the root password you just set)

    ssh "root@<IP-OF-THE-FIRST-PC>

## Installation Overview
Now that you're connected via SSH, you're ready to do the following:
- Create a Systemd boot partition
- Create a Linux Filesystem partition for Arch
- Encrypt your Filesystem Partition with LUKS
- Create BTRFS Sub Volumes on your Linux Filesystem partition
- Install Arch with recommended Packages


## Create the Boot and Filesystem partitions

Identify the drive on which to install Arch:

    lsblk

:::note
For this guide we'll be referencing our drive with the **nvme0n1** naming convention, remember to replace it with your drive's name when referencing it.
:::

The following commands will create two partitions, one for boot and for the filesystem:

    gdisk /dev/nvme0n1

This will begin the gdisk program / prompt. Begin by creating the
EFI partition (choose size 550M and hex code EF00):

    Command (? for help): o
    Command (? for help): n
    Enter
    Enter
    +550M
    EF00

The Boot Partition should now be created.
Let's create the File system partition.

    Command (? for help): n
    Write the new partitions to disk:
    Enter
    Enter
    Enter
    Enter

    Command (? for help): w

Now let's verify that our two partitions exist:

    lsblk

You should be able to see the two partitions available as **/dev/nvme0n1p1** and **/dev/nvme0n1p2**.

## Encryption

With your partitions set, create the encrypted container for your root file system.
Below is the command to encrypt the partition using LUKS:

    cryptsetup --cipher aes-exts-plain64 --hash sha256 --use-random --verify-passphrase luksFormat --type luks2 /dev/nvme0n1p2

Open the encrypted partition with:

    cryptsetup open /dev/nvme0n1p2 luks

:::note
("luks" is just a placeholder, you can use the name of your choice, but remember to continue the guide with your naming convention)
:::

## File System Creation
Format the EFI partition with FAT32 and give it the label EFI:

    mkfs.vfat -F32 -n EFI /dev/nvme0n1p1

Format the root partition with BTRFS and give it the label ROOT:

    mkfs.btrfs -L ROOT /dev/mapper/luks

:::note
If you didn’t open the LUKS container under the name “luks” you must adjust the command accordingly
:::

## Create and Mount Sub Volumes

Create sub volumes for root, home, the package cache, snapshots, and the entire BTRFS file system:

    mount /dev/mapper/luks /mnt
    btrfs sub create /mnt/@
    btrfs sub create /mnt/@swap
    btrfs sub create /mnt/@home
    btrfs sub create /mnt/@pkg
    btrfs sub create /mnt/@snapshots
    umount /mnt


Mount the sub volumes:

    mount -o noatime,nodiratime,compress=zstd,space_cache=v2,ssd,subvol=@ /dev/mapper/luks /mnt
    mkdir -p /mnt/{boot,home,var/cache/pacman/pkg,.snapshots,btrfs}
    mount -o noatime,nodiratime,compress=zstd,space_cache=v2,ssd,subvol=@home /dev/mapper/luks /mnt/home
    mount -o noatime,nodiratime,compress=zstd,space_cache=v2,ssd,subvol=@pkg /dev/mapper/luks /mnt/var/cache/pacman/pkg
    mount -o noatime,nodiratime,compress=zstd,space_cache=v2,ssd,subvol=@snapshots /dev/mapper/luks /mnt/.snapshots
    mount -o noatime,nodiratime,compress=zstd,space_cache=v2,ssd,subvolid=5 /dev/mapper/luks /mnt/btrfs

Mount the EFI partition:

    mount /dev/nvme0n1p1 /mnt/boot

:::note
Optional - The following is for those wanting to use a swapfile.
:::

Create swap file (taken from Btrfs - Swap file and Swap file):

    cd /mnt/btrfs/@swap
    truncate -s 0 ./swapfile
    chattr +C ./swapfile
    btrfs property set ./swapfile compression none
    dd if=/dev/zero of=./swapfile bs=1M count=<FILE-SIZE-IN-MiB> status=progress
    chmod 600 ./swapfile
    mkswap ./swapfile
    swapon ./swapfile
    cd -

## Base System and /etc/fstab
With your subvolumes created and mounted, you are now ready to install Arch Linux.
For our machine we will be using [intel-ucode](https://wiki.archlinux.org/title/microcode) as the X1 has an intel CPU setup

:::note
If your machine has an AMD CPU, replace **intel-ucode** with [amd-ucode](https://archlinux.org/packages/?name=amd-ucode).
Feel free to add any other packages you want to install at this time in the command below.
:::

    pacstrap /mnt linux linux-firmware base btrfs-progs intel-ucode nano networkmanager git

Generate /etc/fstab:

    genfstab -U /mnt >> /mnt/etc/fstab

## System Configuration
This is where you'll be managing system configurations. In our case we're configuring this as an American user, but
for those of you reading outside the US, set the language and keyboard bindings to your locale.

CHROOT into the new system:

    arch-chroot /mnt/

Set the hostname:

    echo <YOUR-HOSTNAME> > /etc/hostname

Set locale:

    echo LANG=en_US.UTF-8 > /etc/locale.conf

Uncomment the following rows in /etc/locale.gen:

    en_US.UTF-8.UTF-8

Generate locale:

    locale-gen

Define hosts in /etc/hosts:

    <ip-address>	<hostname.domain.org>	<hostname>
    127.0.0.1	<YOUR-HOSTNAME>.localdomain	<YOUR-HOSTNAME>
    ::1		localhost.localdomain	localhost

Set the root user's password:

(We recommend setting a secure password for your newly created root user.)

    passwd

## Initramfs
Configure the creation of initramfs by editing /etc/mkinitcpio.conf. Edit the line `HOOKS=...` to:

    HOOKS=(base keyboard udev autodetect modconf block keymap encrypt btrfs filesystems resume)

:::note
`resume` in the above hooks is for those of you setting up a swap partition. If you don't intend to use swap, you can simply remove it.
:::

Recreate initramfs:

    mkinitcpio -p linux

## Boot Manager

Install systemd-boot:

    bootctl --path=/boot install

Create file /boot/loader/entries/arch.conf and fill it with:

    title Arch Linux
    linux /vmlinuz-linux
    initrd /intel-ucode.img
    initrd /initramfs-linux.img
    options cryptdevice=UUID=<UUID-OF-ROOT-PARTITION>:luks:allow-discards root=/dev/mapper/luks rootflags=subvol=@ rd.luks.options=discard rw

:::note
Optional - If you are using a swap, add the following to the options flag.
You will also need to follow this guide to calculate your [offset](https://wiki.archlinux.org/title/Power_management/Suspend_and_hibernate#Hibernation_into_swap_file_on_Btrfs)
:::

    resume=/dev/mapper/luks resume_offset=<YOUR-OFFSET>

Provide the UUID of your root partition:

    blkid -s UUID -o value /dev/sda2

Replace `UUID-OF-ROOT` in /boot/loader/entries/arch.conf

Edit /boot/loader/loader.conf and fill it with:

    default  arch.conf
    timeout  4
    console-mode max
    editor   no

Lastly, exit chroot, unmount your partition, and reboot:

    exit
    umount -R /mnt
    reboot

## Installation Complete

Congratulations, you now have Arch running on your laptop!

You now have an encrypted partition of Arch Linux running on your laptop with a root user and networking.

## What's left to do?
- Sign in as root on your laptop
- Setup a user with sudo privileges
- Setup a Window Manager / Desktop Environment
- Install YAY and AUR
- Generate SSH Keys
- Generate GPG Keys
- Find ways to interject into conversations that you now use Arch

### References
- [Nerd Stuff Guide](https://nerdstuff.org/posts/2020/2020-004_arch_linux_luks_btrfs_systemd-boot/)
- [EJMG's Guide](https://github.com/ejmg/an-idiots-guide-to-installing-arch-on-a-lenovo-carbon-x1-gen-6#partitioning-and-configuring)
- [AustinMorlin](https://austinmorlan.com/posts/arch_linux_install/)
